NIST maps the frontier of cloud forensics

Cloud computing helps to make data more accessible, but the same technologies that make it readily available – on-demand provisioning, reprovisioning and virtual environments – also can obscure it.

“With cloud computing, you really can’t see where the data is,” said Rose Shumba, director of the digital forensics and cyber investigation graduate program at the University of Maryland University College’s Center for Security Studies. A data center might have hundreds of servers hosting thousands of virtual machines being used in sequence by thousands of customers, and data can be replicated across multiple sites in different countries.

This is creating new challenges for digital forensics, complicating incident response and criminal and civil investigations into incidents and data in the cloud.

Forensics is the science of developing or extracting information for use in investigations. Digital forensics involves obtaining that information in digital form, usually from a computer or other electronic media. It requires gaining access to the device, locating the data, copying it and then analyzing the copy to turn raw data into information that can be used as evidence.

And as of now, there are no tools designed specifically to address the challenges of locating, isolating and preserving information from the cloud in a way that protects privacy and enables it to be used in court as evidence, Shumba said.

The National Institute of Standards and Technology has begun the task of addressing these challenges as part of its mandate to spur adoption of cloud computing. The NIST Cloud Computing Forensic Science Working Group has produced a draft interagency report that catalogs 65 challenges that have been identified by industry, academia and the legal community.

The cloud exacerbates many technological, organizational and legal challenges already faced by digital forensics examiners, the report notes, as well as creating some new ones.

Identifying these challenges is a first step. The next steps are to identify existing standards, best practices and tools that can address the challenges and then to identify gaps where new standards and technologies are needed.

“Standards are critical to ensure cost-effective and easy migration, to ensure that mission-critical requirements can be met and to reduce the risk that sizable investments may become prematurely technologically obsolete,” the report said.

But at the moment there are more gaps than standards, Shumba said. Cloud computing is so new that she is aware of few if any tools or tactics now available to solve these problems. She is glad to see NIST bringing the legal, technical and academic communities together over this issue.

“When I started in digital forensics, it meant acquiring data from a stand-alone computer,” Shumba said. Then mobile devices came along, creating a host of problems in accessing data on a multitude of new platforms. The challenges have been multiplied in cloud computing, where location and ownership of data might not be clear cut. Virtual machines in the cloud can be quickly created, used, released and reused, and there are no tools for securely wiping a previous owner’s data. There also is no protection against a subsequent user’s data overwriting a previous user’s.

The challenges identified by the NIST working group fall into nine broad categories:

Architecture

Data collection

Analysis

Anti-forensics – hiding or obscuring data

Trustworthiness of first responders to an incident

Roles of data owners, managers and users

Legal jurisdictions

Technical standards and practices

Training

A majority of the issues identified are technical in nature, and the rest are primarily legal and organizational issues. The technical issues involve the differences between the operating framework of cloud computing and traditional data center physical computing. The legal and organizational issues reflect the crossing of national borders as data is moved for operational redundancy, cost and reliability.

Draft interagency report NISTIR 8006 has been released for public comment. Comments should be made by July 21 to nistir8006@nist.gov.